CVE-2023-24535

Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GoCNA
---
---
CVEADP
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
VendorProductVersion
protobufprotobuf
1.29.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-google-protobuf
bullseye
1.25.0+git20201208.160c747-1
fixed
bookworm
1.28.1-3
fixed
sid
1.33.0-1
fixed
trixie
1.33.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-github-golang-protobuf-1-3
oracular
needs-triage
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
dne
jammy
dne
focal
dne
bionic
ignored
xenial
ignored
trusty
ignored
golang-github-golang-protobuf-1-5
oracular
needs-triage
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
dne
jammy
dne
focal
dne
bionic
ignored
xenial
ignored
trusty
ignored
golang-goprotobuf
oracular
dne
noble
dne
mantic
dne
lunar
dne
kinetic
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
google-guest-agent
oracular
not-affected
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
dne
Common Weakness Enumeration
References
https://github.com/golang/protobuf/issues/1530
https://go.dev/cl/475995
https://pkg.go.dev/vuln/GO-2023-1631
https://github.com/golang/protobuf/issues/1530
https://go.dev/cl/475995
https://pkg.go.dev/vuln/GO-2023-1631